@contractspec/lib.identity-rbac 1.57.0 → 1.58.0

package/dist/browser/contracts/rbac.js

@@ -0,0 +1,599 @@
+// src/contracts/user.ts
+import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
+import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
+var OWNERS = ["platform.identity-rbac"];
+var UserProfileModel = new SchemaModel({
+  name: "UserProfile",
+  description: "User profile information",
+  fields: {
+    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
+    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
+  }
+});
+var CreateUserInputModel = new SchemaModel({
+  name: "CreateUserInput",
+  description: "Input for creating a new user",
+  fields: {
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var UpdateUserInputModel = new SchemaModel({
+  name: "UpdateUserInput",
+  description: "Input for updating a user profile",
+  fields: {
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
+  }
+});
+var DeleteUserInputModel = new SchemaModel({
+  name: "DeleteUserInput",
+  description: "Input for deleting a user",
+  fields: {
+    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
+  }
+});
+var SuccessResultModel = new SchemaModel({
+  name: "SuccessResult",
+  description: "Simple success result",
+  fields: {
+    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
+  }
+});
+var UserDeletedPayloadModel = new SchemaModel({
+  name: "UserDeletedPayload",
+  description: "Payload for user deleted event",
+  fields: {
+    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
+  }
+});
+var ListUsersInputModel = new SchemaModel({
+  name: "ListUsersInput",
+  description: "Input for listing users",
+  fields: {
+    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var ListUsersOutputModel = new SchemaModel({
+  name: "ListUsersOutput",
+  description: "Output for listing users",
+  fields: {
+    users: { type: UserProfileModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
+  }
+});
+var CreateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "create"],
+    description: "Create a new user account.",
+    goal: "Register a new user in the system.",
+    context: "Used during signup flows. May trigger email verification."
+  },
+  io: {
+    input: CreateUserInputModel,
+    output: UserProfileModel,
+    errors: {
+      EMAIL_EXISTS: {
+        description: "A user with this email already exists",
+        http: 409,
+        gqlCode: "EMAIL_EXISTS",
+        when: "Email is already registered"
+      }
+    }
+  },
+  policy: {
+    auth: "anonymous"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.created",
+        version: "1.0.0",
+        when: "User is successfully created",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.created"]
+  }
+});
+var GetCurrentUserContract = defineQuery({
+  meta: {
+    key: "identity.user.me",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "profile"],
+    description: "Get the current authenticated user profile.",
+    goal: "Retrieve user profile for the authenticated session.",
+    context: "Called on app load and after profile updates."
+  },
+  io: {
+    input: null,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "update"],
+    description: "Update user profile information.",
+    goal: "Allow users to update their profile.",
+    context: "Self-service profile updates."
+  },
+  io: {
+    input: UpdateUserInputModel,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.updated",
+        version: "1.0.0",
+        when: "User profile is updated",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.updated"]
+  }
+});
+var DeleteUserContract = defineCommand({
+  meta: {
+    key: "identity.user.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "delete"],
+    description: "Delete user account and all associated data.",
+    goal: "Allow users to delete their account (GDPR compliance).",
+    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
+  },
+  io: {
+    input: DeleteUserInputModel,
+    output: SuccessResultModel
+  },
+  policy: {
+    auth: "user",
+    escalate: "human_review"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.deleted",
+        version: "1.0.0",
+        when: "User account is deleted",
+        payload: UserDeletedPayloadModel
+      }
+    ],
+    audit: ["user.deleted"]
+  }
+});
+var ListUsersContract = defineQuery({
+  meta: {
+    key: "identity.user.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "admin", "list"],
+    description: "List all users (admin only).",
+    goal: "Allow admins to browse and manage users.",
+    context: "Admin dashboard user management."
+  },
+  io: {
+    input: ListUsersInputModel,
+    output: ListUsersOutputModel
+  },
+  policy: {
+    auth: "admin"
+  }
+});
+
+// src/contracts/rbac.ts
+import { SchemaModel as SchemaModel2, ScalarTypeEnum as ScalarTypeEnum2 } from "@contractspec/lib.schema";
+import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts";
+var RoleModel = new SchemaModel2({
+  name: "Role",
+  description: "RBAC role definition",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
+  }
+});
+var PolicyBindingModel = new SchemaModel2({
+  name: "PolicyBinding",
+  description: "Role assignment to a target",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
+    role: { type: RoleModel, isOptional: false }
+  }
+});
+var PermissionCheckResultModel = new SchemaModel2({
+  name: "PermissionCheckResult",
+  description: "Result of a permission check",
+  fields: {
+    allowed: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
+    reason: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    matchedRole: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var CreateRoleInputModel = new SchemaModel2({
+  name: "CreateRoleInput",
+  description: "Input for creating a role",
+  fields: {
+    name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    }
+  }
+});
+var UpdateRoleInputModel = new SchemaModel2({
+  name: "UpdateRoleInput",
+  description: "Input for updating a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: true,
+      isArray: true
+    }
+  }
+});
+var DeleteRoleInputModel = new SchemaModel2({
+  name: "DeleteRoleInput",
+  description: "Input for deleting a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListRolesOutputModel = new SchemaModel2({
+  name: "ListRolesOutput",
+  description: "Output for listing roles",
+  fields: {
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var AssignRoleInputModel = new SchemaModel2({
+  name: "AssignRoleInput",
+  description: "Input for assigning a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true }
+  }
+});
+var RevokeRoleInputModel = new SchemaModel2({
+  name: "RevokeRoleInput",
+  description: "Input for revoking a role",
+  fields: {
+    bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var BindingIdPayloadModel = new SchemaModel2({
+  name: "BindingIdPayload",
+  description: "Payload with binding ID",
+  fields: {
+    bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var CheckPermissionInputModel = new SchemaModel2({
+  name: "CheckPermissionInput",
+  description: "Input for checking a permission",
+  fields: {
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    permission: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListUserPermissionsInputModel = new SchemaModel2({
+  name: "ListUserPermissionsInput",
+  description: "Input for listing user permissions",
+  fields: {
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var ListUserPermissionsOutputModel = new SchemaModel2({
+  name: "ListUserPermissionsOutput",
+  description: "Output for listing user permissions",
+  fields: {
+    permissions: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var CreateRoleContract = defineCommand2({
+  meta: {
+    key: "identity.rbac.role.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "create"],
+    description: "Create a new role with permissions.",
+    goal: "Allow admins to define custom roles.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: CreateRoleInputModel,
+    output: RoleModel,
+    errors: {
+      ROLE_EXISTS: {
+        description: "A role with this name already exists",
+        http: 409,
+        gqlCode: "ROLE_EXISTS",
+        when: "Role name is taken"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.created"]
+  }
+});
+var UpdateRoleContract = defineCommand2({
+  meta: {
+    key: "identity.rbac.role.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "update"],
+    description: "Update an existing role.",
+    goal: "Allow admins to modify role permissions.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: UpdateRoleInputModel,
+    output: RoleModel
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.updated"]
+  }
+});
+var DeleteRoleContract = defineCommand2({
+  meta: {
+    key: "identity.rbac.role.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "delete"],
+    description: "Delete an existing role.",
+    goal: "Allow admins to remove unused roles.",
+    context: "Role management. Removes all policy bindings using this role."
+  },
+  io: {
+    input: DeleteRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      ROLE_IN_USE: {
+        description: "Role is still assigned to users or organizations",
+        http: 409,
+        gqlCode: "ROLE_IN_USE",
+        when: "Role has active bindings"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.deleted"]
+  }
+});
+var ListRolesContract = defineQuery2({
+  meta: {
+    key: "identity.rbac.role.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "list"],
+    description: "List all available roles.",
+    goal: "Show available roles for assignment.",
+    context: "Role assignment UI."
+  },
+  io: {
+    input: null,
+    output: ListRolesOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var AssignRoleContract = defineCommand2({
+  meta: {
+    key: "identity.rbac.assign",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "assign"],
+    description: "Assign a role to a user or organization.",
+    goal: "Grant permissions via role assignment.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: AssignRoleInputModel,
+    output: PolicyBindingModel,
+    errors: {
+      ROLE_NOT_FOUND: {
+        description: "The specified role does not exist",
+        http: 404,
+        gqlCode: "ROLE_NOT_FOUND",
+        when: "Role ID is invalid"
+      },
+      ALREADY_ASSIGNED: {
+        description: "This role is already assigned to the target",
+        http: 409,
+        gqlCode: "ALREADY_ASSIGNED",
+        when: "Binding already exists"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.assigned",
+        version: "1.0.0",
+        when: "Role is assigned",
+        payload: PolicyBindingModel
+      }
+    ],
+    audit: ["role.assigned"]
+  }
+});
+var RevokeRoleContract = defineCommand2({
+  meta: {
+    key: "identity.rbac.revoke",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "revoke"],
+    description: "Revoke a role from a user or organization.",
+    goal: "Remove permissions via role revocation.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: RevokeRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      BINDING_NOT_FOUND: {
+        description: "The policy binding does not exist",
+        http: 404,
+        gqlCode: "BINDING_NOT_FOUND",
+        when: "Binding ID is invalid"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.revoked",
+        version: "1.0.0",
+        when: "Role is revoked",
+        payload: BindingIdPayloadModel
+      }
+    ],
+    audit: ["role.revoked"]
+  }
+});
+var CheckPermissionContract = defineQuery2({
+  meta: {
+    key: "identity.rbac.check",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "check", "permission"],
+    description: "Check if a user has a specific permission.",
+    goal: "Authorization check before sensitive operations.",
+    context: "Called by other services to verify permissions."
+  },
+  io: {
+    input: CheckPermissionInputModel,
+    output: PermissionCheckResultModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var ListUserPermissionsContract = defineQuery2({
+  meta: {
+    key: "identity.rbac.permissions",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "permissions", "user"],
+    description: "List all permissions for a user in a context.",
+    goal: "Show what a user can do in an org.",
+    context: "UI permission display, debugging."
+  },
+  io: {
+    input: ListUserPermissionsInputModel,
+    output: ListUserPermissionsOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+export {
+  UpdateRoleInputModel,
+  UpdateRoleContract,
+  RoleModel,
+  RevokeRoleInputModel,
+  RevokeRoleContract,
+  PolicyBindingModel,
+  PermissionCheckResultModel,
+  ListUserPermissionsOutputModel,
+  ListUserPermissionsInputModel,
+  ListUserPermissionsContract,
+  ListRolesOutputModel,
+  ListRolesContract,
+  DeleteRoleInputModel,
+  DeleteRoleContract,
+  CreateRoleInputModel,
+  CreateRoleContract,
+  CheckPermissionInputModel,
+  CheckPermissionContract,
+  BindingIdPayloadModel,
+  AssignRoleInputModel,
+  AssignRoleContract
+};